Planning for Pandemics and Other Disasters

In part one of our conversation with Dan Lohrmann last week (see http://esj.com/security/article.aspx?EditorialsID=2452), we explored a wide range of issues, from what private and public sector security pros are missing to external versus internal threats and the nature of network intruders.

This week we discuss disaster planning with the chief information security officer (CISO) for the state of Michigan. Dan is also an executive board member of the Multi-State Information Sharing and Analysis Center (MS-ISAC), which coordinates cybersecurity actions among the 50 states. He sits on the Department of Homeland Security's IT Government Coordinating Council (GCC) which involves writing and implementing the National Infrastructure Protection Plan (NIPP) IT Sector Plan.

- - -

ESJ: When you look at Katrina and other disasters, what should corporations and institutions examine in their disaster planning?

DL: I think one of the biggest challenges facing us in Michigan and around the country is the pandemic challenge. We have a Pandemic Influenza Coordinating Committee that I think one of the biggest challenges there is trying to deal with the different set of issues than bombs going off.

A lot of organizations have good DR [disaster recovery] plans and business continuity plans around storms and other natural disasters. Down in Florida, they have incredible processes developed through the school of hard knocks that they have put together for hurricanes because they’ve lived it. They know how to deal with those kinds of things.

The challenge with pandemic influenza is the different set of issues. The buildings are there, the networks are all up, but the people aren’t there. The people can’t get together, so now you have to manage even more things remotely. You have people at home. You have a huge potential for major disruption.

Depending on the severity, and I am talking worst-case scenario, but I am on several committees working on the business aspects side right now. Some scenarios are eye-openers. No schools are open forcing parents to stay home. All business are closed. There are no sporting events. There are no restaurants. The economic impact to society is scary.

It changes a lot of paradigms. It’s more than just traditional “what do you do to get a laptop working in the house?”

It begs many hard questions that governments face. If this really happens, and the projections say it will sometime in the next thirty years, the questions get very different. What are you doing? How do you provide the services? Who is going to show up for work? We have the models but they haven’t been tested yet..

We do tabletop exercises [simulations]. We are very involved in Michigan in our emergency management program. We get involved in nuclear exercises—all sorts of exercises—including the CyberStorm exercise.

We work with other states and other countries, the UK, Canada, Australia, around “what-if you had an attack.” In almost every scenario, the presumption is the people are available. But for bird flu, now try the scenario with half the people. Then try it with a quarter of the people. Those are really challenging scenarios.

I think that is one of our largest challenges now, one of the biggest challenges in the country, as a nation, and in the world because it changes the paradigm for responding if we have a pandemic bird flu scenario.

ESJ: In the case of bird flu and that people will shift their working location, the services and knowledge enterprises may do better but might the other enterprises, the manufacturing and other “brick-and-mortar”companies, not do so well?

DL: That’s part of it. For us, it is how do you run state government in that environment? It also gets complicated because of assumptions on a wide range of key questions, such as the size of the outbreak and the percentage of the population stays out from work.

From the security perspective, do you relax policies? I’ll give a quick example. We have a policy that people can use their [state-provided] laptops from home. They are allowed to connect to their home network and we have a set of rules of what they can and cannot do. We don’t allow people to use home PCs for [accessing] sensitive information. I think that makes sense. Once a person stores sensitive information on a home PC, we’ve lost control of it. I don’t have all the Symantec tools on the PC. I can’t monitor and manage the PC.

ESJ: So once you have shadow data running about, you’re in trouble?

DL: Yes, so we may need to relax that rule massively in a pandemic. We may need to get people connected and utilize home PCs. So the policy changes which changes security dramatically. You may allow it, but now you may need to clean up the mess three months to six months later, and your information is all over the place. I hope we don’t have to go there, but that [prohibition] is our current policy.

ESJ: You mentioned that you don’t have those tools on the employee’s home PC. Doesn’t that hint that enterprises and institutions may need to take a more active role in working with their employees on their home systems?

DL: Correct. It begs a lot of questions. It also begs your [equipment] refresh cycle: do you refresh with desktops or laptops.

I know my colleagues in Florida state government. They mandated telework for their employees one day a week so they are always ready for hurricanes. They are living with laptops, and they view that [strategy] as a strength. People are used to working that way. In a hurricane situation, where the main data center or offices are destroyed or out-of-commission, the employees still function because they have been decentralized.

There is a variety of scenarios and assumptions. When would you change policy? When would you relax policy? If it’s ten years from now and everyone has laptops, maybe the whole thing changes again. But right now, it’s a relatively small number of employees (about 5,000 for Michigan state employees)—most of them have laptops. Most of them have desktops. Depending on your mix, you might have different answers to your policy questions.

ESJ: After bird flu and other disasters, what other security items should institutions and corporations consider?

DL: One thing I’ve seen where the government does better than the private sector is the tabletop exercises [simulations], actually testing your plans. We do a lot of that in state government, based on nuclear exercises and other things.

For example, at the CSO conference this in March in Colorado Springs they are having a Sunday tabletop exercise like Cyberstorm because a lot of CIOs and CSOs have never been in a tabletop before. I was amazed because I’ve probably been involved in forty tabletop exercises in the last five years. I been involved in the Y2K and simulations, testing, running drills, and actually going through full-scale exercises. I think practice makes perfect and I highly recommend it. You learn things you didn’t think about, particularly when you get the business leaders in the room. The various aspects of people and processes, you get some surprising answers.

Security is a huge area, but specific interests depend on where people are as an organization and their maturity. We’re developing the subject list for the multistate ISAC which my colleagues from all 50 states will attend in Minneapolis in April. Some people are still in their early phase and are interested in how to build a security budget, how do I get people’s attention, how do I get buy-in from the businesses, and how do I get people to take a serious look at security.

On the other extreme, we’re struggling here in Michigan on building security into every aspect of the lifecycle. At the beginning of the project, we are getting security into the contract and into the initial builds. We are scanning databases for vulnerabilities and looking to see if the code is secure. We examine the full lifecycle from requirements definition all the way to operations and maintenance after it is deployed. Working on that discipline is hard because as a result it [security] becomes part of the DNA of the organization. It’s always a struggle between cost and value and what the benefits are.

Security is huge. Anything that has to do with IT has security implication.

ESJ: You’ve touched on natural disasters but haven’t said much about man-made disasters. Should there be different reactions to those and what’s the chance of them happening?

DL: In Michigan we look at all threats. If a data center is destroyed, whether it is a tornado, a bomb, or other cause, the data center is still destroyed.

One thing we did with Homeland Security money was laying out risk assessments and responses. For example, after a power outage in 2003 one main core data centers had generators but two others didn’t. So putting generators on the remaining centers became one of our highest priorities. Last February, a substation went out in the secondary complex here in Michigan and we had a blackout. It was one small area where two of our data centers are located. Because we had those generators, we stayed operational and no state services were disrupted, so it’s already paid a dividend.

Maybe those are common-sense answers, but there are a lot of government systems that I would classify as “critical” that don’t have generators on them.

We use an all-threat approach. This point is: what is the likelihood? That’s what the Department of Homeland Security [DHS] is trying to figure out. We filled out a lot of surveys and DHS ranks it, such as what is the threat against Detroit versus against New York or Washington D.C. They’ve done threat-based grant allocations.

I don’t have statistics of a nuclear weapon hitting Lansing, but those questions have been asked of us. Do we need a hot site? If so, should it be in Boulder, CO or forty miles away? We’ve looked at those questions and, based on assumptions, you can come up with different answers.

I think the likelihood we are going to be attacked from a cyber perspective is 100 percent because it is happening now. The likelihood of an Al Qaeda bomb exploding in our data center is pretty low, but we still have to look at it from an all-threats perspective.

ESJ: Obviously, law enforcement and medical needs to be up 24 by 7 by 365. What other systems, and maybe the less-obvious ones, need that kind of uptime?

DL: Medicare, Medicaid, food stamps—you have sustenance needs that rely on the state. We learned from the Detroit blackout about food and water safety, the DEQ [Department of Environmental Quality] databases for restaurants. Inspectors were shutting down restaurants because they didn’t have power [for refrigeration] and the food was unsafe. You won’t think of DEQ restaurant inspectors as being critical, but people didn’t have food because it was spoiled and they were going out to restaurants.

The list isn’t huge. We have only 97 critical functions of government we believe must be operational in an emergency within 12 to 24 hours. Part of the list is public; part of the list isn’t for a variety of reasons. If you think about it, it makes sense.

ESJ: What is the number one piece of advice you would give to corporations?

DL: I would say you need to build a team that understands your business and understands your risks, and be sure that organization has adequate funding to do the job they need to do.